RAID10 Array, can't boot/decrypt, any thoughts?

Discussion in 'encryption problems' started by MrRDjS, Jul 4, 2014.

  1. MrRDjS

    MrRDjS Registered Member

    Joined:
    Jul 4, 2014
    Posts:
    4
    RAID 10 500GB array, standard Windows 7 x64 install, drive encryption

    Restore volume header -> embedded in the volume = no luck
    Mount without pre-boot authentication = no luck
    Tried to restore the TrueCrypt bootloader with another system's TC recovery CD = no luck
    No recovery CD saved.
    I know the password.

    Failed 1-2 drives, RAID array failed, can't boot anymore.
    Drives replaced, did a rebuild but somehow I don't get the bootloader.
    Installed win7 on another hdd to try and do recovery from there.

    a) anything I can try?
    b) How to find the right offset to look for TC header?

    >>>> PICS <<<<

    I tried a few offsets and made a few 2MB test.tc files with WinHex but no luck (incorrect pw)

    I have installed Win7 on another HDD, and am working from there to do recovery.

    Any thoughts?
     
  2. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    The array just contains data, right? It's not a bootable operating system? In that case there will be no TrueCrypt bootloader and no bootable recovery cd, as those items only apply to system (i.e. operating system) encryption. Also, the "mount without preboot authentication" command doesn't apply. There should, however, be an embedded backup header.

    I don't see any partitions listed on your problem drive, but the presence of plaintext data tells me that you probably used to have one. Did the accident destroy your partition table?

    If I understand your situation correctly then your TrueCrypt header (if it's still intact) will be located at the very beginning of what used to be your partition, although at this point it's merely in free space. I'm not sure where the first partition would begin on a RAID-10 array, but on a single disk you would want to look at offset 1048576 (decimal).
     
  3. MrRDjS

    MrRDjS Registered Member

    Joined:
    Jul 4, 2014
    Posts:
    4
    Hi Dantz, the array is a bootable Win7 x64 operating system.
    What happened to the array is still a bit of a mystery: one drive failed and another was/got probably corrupted / hw failure. After replacing the 2 drives the array was restored, but I lost the TrueCrypt bootloader/partitions? and have the previously stated state.

    I tried various offsets to try and find my TrueCrypt header but no luck so far.

    I also tried to create 2 new partitions, 100MB + rest, without a drive letter and without formatting the "drive" in Windows, and tried to find the TrueCrypt header, but no luck so far.

    Do you know any offsets that I may be able to test?
    Any help is very much welcome and very much appreciated.
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    991
    Location:
    Hawaii
    If you had your rescue disk you could use it to restore the TC bootloader and the volume header. Do you have any data backups that might include the "TrueCrypt Rescue Disk.iso" file? You could use that file to build another rescue disk.
     
  5. MrRDjS

    MrRDjS Registered Member

    Joined:
    Jul 4, 2014
    Posts:
    4
    Hi Dantz, no backups in this case.

    I'm investigating the location of the TrueCrypt header on my RAID10 setup.

    I have taken 4 new drives (4x250GB) and made a new RAID10 array = 1x 500hdd. I then installed Win7 x64 on this RAID10 array, and after the Windows install I did a system encryption with TrueCrypt 7.1a.

    This gives me a working setup to try and find the TrueCrypt header (if I find it on a working setup, then maybe I can find it on my broken RAID10 setup). So far I have been unsuccessful. Can someone point out to me at what sector/offset my 100% working header might be located?

    http://i.imgur.com/8xMOU9d.png

    If I understand it correctly, if I take the header +2MB I can then test the test file in TrueCrypt to see if the password is accepted?
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    RAID10 is a stripe of mirrors: 1) disks a and b are mirrored; 2) disks c and d are mirrored; and then 3) the two mirrored pairs are striped. Which two of the four disks failed? If it was a and b, or c and d, the data is gone. Otherwise, there should have been no data loss.
     
  7. MrRDjS

    MrRDjS Registered Member

    Joined:
    Jul 4, 2014
    Posts:
    4
    I have yet to determine the cause, and I don't have many hopes of finding the initial cause, no software install/updates had been run, no raid hw failures, no power supply issue, all it took was a reboot of the system and my password was not accepted anymore.

    I'm trying to determine if something, anything, messed up the partition layout on my drives, hoping to maybe find an intact header somewhere. For this purpose, I have made a new identical running RAID10 setup with the same Win7 install, trying to find the header on a running 100% working install, but to my own surprise I can't find it at the usual offsets mentioned on this board. I want to find the header and look at the same offset on my damaged RAID10 setup.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I don't understand. You say "no raid hw failures", but previously you wrote:
    Which two drives did you replace? That is, what were their roles in the RAID10 array? If they were both members of either mirrored pair, you're wasting your time trying to find the TrueCrypt volume.
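
The stripe-of-mirrors layout described in the thread, modelled as an added example that is not part of any post here: it maps a byte offset on the array (such as the 1048576 mentioned above for a single disk) to the mirrored pair and member-disk offset that hold it, and lists which two-disk failures lose data. The 64 KiB stripe unit, the absence of controller metadata at the start of each member, and the pair order are assumptions; a real controller may differ.

```python
from itertools import combinations

# Assumptions (not from the thread): 64 KiB stripe unit, member data starts
# at byte 0 of each disk, pairs (a, b) and (c, d) striped in that order.
STRIPE = 64 * 1024
PAIRS = [("a", "b"), ("c", "d")]


def locate(logical_offset, stripe=STRIPE, pairs=PAIRS):
    """Map an array byte offset to (mirror pair, byte offset on each member)."""
    chunk, within = divmod(logical_offset, stripe)
    pair = pairs[chunk % len(pairs)]          # stripes alternate across pairs
    member_chunk = chunk // len(pairs)        # chunk index on that pair's disks
    return pair, member_chunk * stripe + within


def segments(start, length, stripe=STRIPE, pairs=PAIRS):
    """Split an array byte range into (pair, member_offset, size) reads."""
    out, end = [], start + length
    while start < end:
        pair, member_off = locate(start, stripe, pairs)
        size = min(stripe - start % stripe, end - start)
        out.append((pair, member_off, size))
        start += size
    return out


def survives(failed, pairs=PAIRS):
    """Data survives only if every mirrored pair keeps at least one member."""
    failed = set(failed)
    return all(not set(pair) <= failed for pair in pairs)


def two_disk_failures(pairs=PAIRS):
    """Outcome of every possible two-disk failure in the array."""
    disks = [d for pair in pairs for d in pair]
    return {combo: survives(combo, pairs) for combo in combinations(disks, 2)}


if __name__ == "__main__":
    print(locate(1048576))
    for combo, ok in two_disk_failures().items():
        print(combo, "recoverable" if ok else "data lost")
```

With these assumptions, any range longer than one stripe unit spans both pairs, so a region carved from a single member disk contains only every other 64 KiB chunk of the array's data.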
     